Why am I here?
This year I am thankful for some vivifying vulnerabilities and exceptional exploits! The world of enterprise software security is certainly not slowing down as the holidays approach, so there is plenty of delicious content to gobble up in this month’s Bug Report, our quick and easily digested list of the most important bugs of the last 30 days. November was a capacious cornucopia of interesting infosec, so let’s break down a few of the most significant bits:
- CVE-2022-3786 + CVE-2022-3602: OpenSSL 3.0
- CVE-2022-40303 + CVE-2022-40304: libxml2
- CVE-2022-41622 + CVE-2022-41800: F5 BIG-IP
Although the vulns in OpenSSL 3.0 were announced the last week of October and feel like they happened forever ago at this point, they weren’t publicly disclosed until the first of November, meaning they just barely didn’t make it into last month’s Spooky Edition. Sorry for any confusion!
What is it?
November flew in with a SQUAWK as new “critical” vulnerabilities were announced in OpenSSL 3.0 in the last week of October before being disclosed on the first. CVE-2022-3786 and CVE-2022-3602 were discovered by Viktor Dukhovni and Polar Bear (aka Sandbox Escaper), respectively, and involve buffer overflows in the process of X.509 certificate verification.
Everyone was on the edge of their dining room chairs fearing that this could be HeartBleed 2.0, an easily exploited bug that could lead to disclosure of sensitive information or worse, full control over the victim machine. Luckily, these two bugs turned out to be difficult-to-impossible to exploit due to modern mitigations, and they required that the certificate come from a trusted authority (or that the verification process continue despite trust errors). Combined, these requirements led the vulnerabilities to be lowered in severity from “critical” to “high.” However, these are still significant bugs due to the ubiquitous usage of OpenSSL, though many may still be on versions earlier than 3.0, which are not affected.
What can I do?
From OpenSSL.org: “Users of OpenSSL 3.0.0 – 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible.”
CVE-2022-40303 + CVE-2022-40304: Xml parsing vulnerabilities just in time for xmas
What is it?
There are some new XML vulns just in time for the Xmas season. Maddie Stone, Ned Williamson, and Nathan Wachholz of Google Project Zero disclosed multiple vulnerabilities in libxml2, a widely used XML parser developed for GNOME. Maddie Stone discovered an integer overflow in the function xmlParseNameComplex (CVE-2022-40303) that can be triggered by including a name that is 0x80000000 bytes or more long. A sample file to reproduce this crash can be crafted very simply with:
python3 -c 'print("<!DOCTYPE doc [\n<!ATTLIST src " + "a"*(0x80000000) + " IDREF #IMPLIED>")' > name_big.xml
CVE-2022-40304 is another vulnerability in libxml2, but caused by entity reference cycles being handled improperly for dicts, leading to memory corruption. The commit message of the fix for this bug reads: “When an entity reference cycle is detected, the entity content is cleared by setting its first byte to zero. But the entity content might be allocated from a dict. In this case, the dict entry becomes corrupted leading to all kinds of logic errors, including memory errors like double-frees.”
The above issues may be interesting targets for attackers as libxml2 is used in many applications, including Webkit, which prompted Apple to release MacOS 13.0.1 and iOS 16.1.1 to address them. Worryingly, these vulnerabilities could lead to arbitrary code execution in the process parsing an attacker-controlled XML document. While CVE-2022-40303 requires that the “XML_PARSE_HUGE” option be enabled for the library to be vulnerable – as it requires parsing a 2GB+ file – there is no such requirement for the reference cycle issue.
What can I do?
Developers should update libxml2 dependencies to version 2.10.3, which has patched the vulnerabilities. Apple users should also update to MacOS 13.0.1 and iOS 16.1.1 to address these vulnerabilities on those platforms.
CVE-2022-41622 + CVE-2022-41800: Are they a big deal?
What is it?
Rapid 7 discovered two vulnerabilities in F5 BIG-IP and iControl that can lead to remote code execution (RCE). CVE-2022-41622 is a cross-site request forgery (CSRF) vulnerability that can lead to unauthenticated RCE! A chill just ran up my spine, and I have the heat cranking! This issue exists because the endpoint “/iControl/iControlPortal.cgi” did not have any protection against CSRF. This endpoint provides several APIs, including upload_file and create_user capabilities.
CVE-2022-41800, on the other hand, is an “RPM Spec Injection” vulnerability that can result in authenticated RCE; the ‘authenticated’ qualifier is due to the vulnerability existing in an administrator-only page. By including a crafted JSON payload with an authenticated administrator session, it is possible to perform command injection.
While both issues result in remote code execution, the first issue can be exploited pre-auth using CSRF by planting binaries using the upload_file API. During exploitation, this was used to create a file at “/shared/f5_update_action,” which is executed two minutes after boot. Additionally, the iControlPortal.cgi script is setuid root, allowing the same vulnerability to be exploited with the create_user action to create a new root user which could then be used to login via SSH. Both of the above techniques can be seen in the PoC on GitHub. Despite the seriousness of these vulnerabilities, Rapid7 claims that “widespread exploitation of the issues in this disclosure is unlikely” due to the multiple requirements that all must be satisfied in order to be exploited. These include targeting a user that has an authenticated session to the control interface, or already having credentialled access to the server. With this in mind, affected users don’t need to stay up late hitting F5 waiting for patches!
What can I do?
F5 responded to these disclosures by asking users to evaluate their risk given the limitations of the vulnerabilities and said they would make engineering hotfixes available upon request. Proper fixes will be included in a future release. Thankfully, F5 has stated that there has been no indication of these vulnerabilities being actively exploited.
This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers.